The invention relates to a method for transmitting data from a sender to a receiver via a transcoder, which means that the information data is altered and/or reduced before transmitting it to the receiver. The invention further relates to a method for transcoding the information data, particularly for transcoding the information data when it comprises encrypted confidential information data as well as non-confidential information data. The invention also relates to a method of receiving the transcoded information data at a receiver, particularly checking integrity of the information data and trustworthiness of the transcoder. Moreover, the invention relates to a sender, a transcoder and a receiver, combinable to perform transmitting of information data under use of transcoding functionality.
Today, internet-browsing via the world-wide-web is by and large confined to stationary users who have access to browsers running on powerful computing devices such as workstations or PCs. Such devices are not only linked to the Internet via reasonably high-speed and high-bandwidth data connections, but are also equipped with powerful software and hardware for processing and rendering accessible the received multi-media data. Authors make ample use of this infrastructure by creating webpages of ever-increasing complexity, both in terms of the data contents itself which may incorporate a large variety of audio and graphics formats, and executable contents such as applets for advanced functions such as payments, etc.
As users become more accustomed to relying on the web as a general-purpose information source, access to the web is becoming more desirable for users on the move, using devices such as mobile telephone handsets or small and lightweight hand-held computing devices. However, users of such devices face problems when trying to access the existing world-wide-web infrastructure: mobile hand-held devices are connected to the Internet via an unusually slow and fragile data connection. This leads to unacceptably long download times for inefficiently formatted data streams.
The typical content-processing capabilities of these portable devices are poor compared to PCs, as the available computing power is limited and the hardware used to display the retrieved content is unsophisticated. For example, a very simple mobile hand-held device may only be capable of representing text format.
Much of the content offered by servers through the Internet is constructed with the assumption that it will be processed and displayed on a relatively powerful computing device. The server could create several representations of the content where each representation is tailored to a specific computing device such as a pager, a mobile telephone handset, a laptop, a high-resolution PC and so on. However, this requires a significant amount of re-authoring since large portions of existing server content must be manually modified. Maintaining several copies of each single page is also undesirable.
An alternative solution is for the client to use a transcoder service. The function of a transcoder is to reformat content received from a server in order to reduce the amount of information which is to be transferred to the client, given the restricted bandwidth available between server and client, and to ensure that the transferred data is representable at the client, given the display and processing capabilities of the client. The transcoder therefore requires knowledge of the data link to the client, and also knowledge of the client's processing/display capabilities.
Common tasks that the transcoder might perform on content destined for the client include the removal of audio or graphic content, converting between graphics formats, compression and decompression, or converting from a marked-up language, such as HTML, into other data representations, e.g. speech.
Usually all content sent from the server to the client passes through the transcoder. To perform the transcoding, the transcoder requires unrestricted access to all data. As this may include security-sensitive information, the transcoder should therefore be considered a trusted party. Security may then be maintained by establishing a secure channel, for example, by using the Secure-Socket-Layer protocol, SSL, between the server and the transcoder, and a separate secure channel between the transcoder and the client, or by incorporating the transcoder within either the server or the client and using SSL between the two. If the transcoder cannot be trusted, then the transcoding service is limited to operating on content with little or no value.
Unfortunately, incorporating transcoder functionality into the server or client is unacceptable except for a few, highly security-sensitive applications, since it involves upgrades to server software and usually server hardware. In addition, mobile devices evolve at high rates and transcoder functionality is likely to evolve at a similar rate, leading to tight software replacement cycles.
External transcoder services, which may be offered as a commercial service by a hand-held-device manufacturer, a data network operator or an ISP, and which could be incorporated with existing proxy servers, are clearly a more suitable and scalable solution. Unfortunately, such third-party provided transcoders can rarely be viewed as trusted parties. Security must then be provided by applying end-to-end encryption between the server and the client, leaving the transcoder the impossible task of operating on the encrypted data stream.
In conjunction with existing end-to-end encryption methods, known transcoders cannot be used since they require plain-text access to the entire data stream. Their actions cannot be verified by the clients, thus making them even less applicable for security-sensitive data transfers.
A transcoder is e.g. described in U.S. Pat. No. 5,544,266. In U.S. Pat. No. 5,729,293, a device for transcoding coded digital signals which are representative of a sequence of images is described, which device comprises a variable length decoding channel followed by a variable length encoding and decoding channel. A prediction sub-assembly is connected in cascade between these two channels, and this sub-assembly comprises, in series between two subtracters, a picture memory and a circuit for motion compensation in view of displacement vectors which are representative of the motion of each image. Other implementations are possible, and particularly a scalable one in which said prediction sub-assembly comprises at least two and more generally a plurality of similar encoding and decoding channels arranged in cascade and corresponding to the same number of image quality levels.
U.S. Pat. No. 5,745,701 describes a system for interconnecting local networks via a public transmission network, in which equipment items of the microcomputer type, connected to a local network, are capable of being connected to the public network by a router in order to communicate with one or more equipment items of the microcomputer type connected to at least one other local network, which are capable of being linked to the public network by a router. The system includes security protection of the establishment of the communications between the local networks over the public network, implementing a certificate exchange mechanism and the software procedures for active authentication, of the "challenge-response" type, being placed in the routers. The described network would be a typical application field for using transcoding.
It is an object of the invention according to claim 1 to provide a method for transmitting data from a sender to a receiver via a transcoder which allows using a non-trusted transcoder for transcoding information data which nevertheless can comprise encrypted confidential as well as non-confidential information data.
The method with the features according to claim 1 has the advantage that although confidential information data is transmitted in encrypted form, transcoding is still possible: the non-confidential information data is transcoded, and the encrypted confidential information data may be transcoded only in the sense that it is removed. No trusted transcoder is necessary, and no additional communication connection between the sender and the receiver is needed to transmit the confidential information data.
When the partly encrypted information data is accompanied by a hashing-information allowing content-verification at the receiver of at least part of said partly encrypted information data, an additional security mechanism is thereby realized which hence increases the achievable transmission security and minimizes external fraudulent influence.
It proves of advantage when the information data is subdivided into information data pieces before encrypting and transmitting, since thereby a more precise and fine-grained handling of the information data, particularly concerning its parameters, can be achieved. One such parameter is the security, which tells whether an information data piece is confidential or not. Another such parameter is the transcoding-type, which tells which transcoding particularities apply to the respective information data, such particularities being e.g. whether the information data piece can be compressed or not, whether it can be omitted or not, and so on.
The above explained advantage is increased when each information data piece is assigned its own piece security information part and piece transcoding-type information part, such that the information data pieces get their own assigned profile, here at least the security- and transcoding-type information. Then the transcoder can individually treat the information data according to its respective profile. Interdependencies between information data pieces are then eliminated.
When an information data piece is assigned its own piece hashing information part, said information data piece being preferably part of said non-confidential information data, again a finer granularity in security can be achieved. Since the hashing implies that the content of the respective information data is not to be altered, only a restricted transcoding functionality can be applied, namely either no transcoding or deletion. Therefore it proves of advantage that such hashing is restricted to the information data where it is in fact needed, such that a maximum transcoding effect can be achieved.
The piece security information parts and piece transcoding-type information parts can be translated into labels according to a translation policy, and instead of said piece security information parts and piece transcoding-type information parts, said labels can be transmitted to said transcoder, whereby a policy information, explaining how to interpret said labels, is made available or is already available to the transcoder. This procedure reduces the information to be sent. This is true particularly where a large number of piece security information parts and piece transcoding-type information parts is to be transmitted, because the saving of data achieved by using the shorter labels then increasingly outweighs the additional data represented by the policy information. This method is comparable to having a short identifier, like an acronym, for actions that take long to explain. The policy information then tells what meaning lies behind the identifier or acronym.
The labels can then be combined in a security- and transcoding-type information packet which is completed by a signature allowing content-integrity-verification at the receiver. This has the advantage that the receiver can determine whether the security- and transcoding-type information packet has been modified or not. If the security- and transcoding-type information packet has not been modified, the receiver can check whether the received information data has been transcoded according to the rules contained in the security- and transcoding-type information packet. Otherwise the receiver knows that the transcoder has acted incorrectly and that the information data received should not be trusted.
It is an object of the invention according to claim 8 to provide a method for transcoding partly encrypted information data, according to the implied security, hence only accessing content of non-confidential information data.
This method with the features according to claim 8 allows in an advantageous manner to transcode the received information data without the need of being trusted. It therefore uses security information and transcoding-type information which tells the transcoder how to treat the incoming information data, namely which of the information data is encrypted and which is not and which transcoding policy it should pursue.
It is an object of the invention according to claim 13 to provide a method of receiving the transcoded information data at a receiver, whereby the compliance of the transcoder with security conditions and transcoding conditions can be tested.
The method with the features according to claim 13 has the advantage that the transcoder trustworthiness test is very simple and relies on the same information that the transcoder used for transcoding. Since the security and transcoding-type information is not mingled with the information data, an integrity check of the security and transcoding-type information is facilitated, because no transcoding, and hence no altering access to the security and transcoding-type information, is needed.
The use of labels as a shortened version of the security- and transcoding-type information is particularly useful when the policy used for this purpose, which is also needed for interpreting the labels, is commonly used and maybe even standardized. Then the policy information need not be transmitted with the information data but is already present in the transcoder, or rather the labels are understood there automatically because the transcoder has already implemented the functionality corresponding to the labels. The policy can then be realized in the transcoder directly as the corresponding functionality, thereby avoiding a separate interpretation step. For example, when a label "NT" arrives, the transcoder could automatically perform no transcoding, since the transcoder has been programmed or configured to treat information data with this label such that no transcoding shall be performed. The corresponding translation would hence be "NT" = no transcoding.
The security- and transcoding-type information packet offers all information which is needed for the transcoder to process the arriving information data correctly. Since the security- and transcoding-type information is not to undergo transcoding, this security- and transcoding-type information packet can be completed with a signature which allows the receiver to verify whether the content of the security- and transcoding-type information packet has been amended somewhere between sender and receiver. Fraudulent or erroneous modification of the security- and transcoding-type information packet can hence easily be recognized at the receiver, which makes the whole information data transmission more secure.
It is an object of the invention according to claim 19 to provide a sender for transmitting data to a receiver via a transcoder which allows using a non-trusted transcoder for transcoding information data which nevertheless can comprise encrypted confidential as well as non-confidential information data.
The sender with the features according to claim 19 has the advantage that although it only needs simple modification with respect to known senders, the advantages of transcoding can be combined with the advantages of secure transmission of security-sensitive, i.e. confidential information data.
A divisor means for subdividing the information data into information data pieces before encrypting and transmitting is relatively easy to implement. Text syntax or image data header information can be used to perform an automatic dividing.
It is an object of the invention according to claim 23 to provide a transcoder for transcoding partly encrypted information data, according to the implied security, hence only accessing content of non-confidential information data.
The transcoder with the features according to claim 23 has the advantage that it accepts information data containing encrypted and non-encrypted information data and that it can perform the optimum transcoding possible, in that it does not try to access content of the encrypted information data but accesses the non-confidential information data for transcoding. The deeper the transcoder can dig into the information data, the higher the transcoding efficiency can be, due to more precise knowledge in the transcoder of which information can be reduced to which extent. However, encrypted information data is not accessible to such content analysis, which is what the sender intends. The necessary information on how to treat which part of the information data is derivable from the security- and transcoding-type information.
It is an object of the invention according to claim 25 to provide a receiver for receiving the transcoded information data at a receiver, whereby the compliance of the transcoder with security conditions and transcoding conditions can be tested.
The receiver with the features according to claim 25 has the advantage that it has the full benefit of the transcoding technique without needing to trust the transcoder or having a separate confidential-information communication line to the sender. Any disallowed modification of the information data on the way from the sender to the receiver is easily recognizable by utilizing the security- and transcoding-type information, which itself has been protected against hidden modification. Unrecognized falsification of information data is hence not possible, or rather is counteracted by encryption technology which, depending on the encryption algorithm used, provides very high security.
The problem solved is to facilitate secure end-to-end communication between a receiver, e.g. a client and a sender, e.g. a server, while still permitting an intermediate transcoding service to alter the content according to the capabilities and connectivity characteristics of the client. The proposed solution is based on the server considering its content as two types of information data, one of which should be protected for confidentiality, the other which is non-confidential or even public and can be subject to transcoding. This approach satisfies two goals:
It allows the application of transcoding techniques on a data stream containing security-sensitive data without requiring plain-text access to the security-sensitive data itself and the transcoding done by the transcoder is verifiable by the client.
The method allows a non-trusted transcoder service to operate on a security-relevant data stream without compromising the end-to-end encryption of the security-sensitive data items contained in the data stream.
The information data can be subdivided into a collection of fields, which are either of the confidential or non-confidential type.
In addition, the system is flexible in that the policy regarding the transcodability and security of individual data fields can be specified by the server.
Furthermore, the actions performed by the transcoder can be verified to the extent that the transcoder has modified content only according to a stated policy. The assumption made here is that the secure fields of the content require no transcoding.
The solution is applicable to scenarios where electronic commerce, on-line banking, or other security-sensitive applications are run on Tier-0 or Tier-1 clients with limited input or output capabilities and bandwidth-limited connections to the servers, without requiring the servers to install and maintain a dedicated and trusted transcoder function, or where rapid development cycles for new and improved device capabilities and therefore transcoder functions are expected and where independent transcoder-services are therefore preferred.
Starting from an original information data stream which is divided into data fields, also called information data pieces, the herein proposed method can comprise the following steps:
Inserting additional tags, or labels, into the original data stream that mark the data fields in terms of their transcodability, e.g. transcodable, non-transcodable, optional, critical, etc., and their security relevance, e.g. security-sensitive, not security-sensitive, etc., these labels being herein referred to as security labels, or piece security information part labels and piece transcoding-type information part labels.
Generating a policy document which defines the transcoder-allowed operations for each tag. This policy document or policy information hence provides for the explanation of what the labels mean, how they should be interpreted. This step can be left out if the policy is inherently known in the transcoder.
Separating the security-sensitive information fields and applying end-to-end encryption on those selectively and individually, leaving the non-security-sensitive information fields unencrypted.
Generating a document summary, also referred to as security- and transcoding-type information packet, based on the structure of the original input stream, hence including the security labels and transcoding-type labels.
Allowing the receiver, i.e. the client, to verify the transcoder actions by comparing the output of the transcoder with the document summary and the policy document.
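The five steps above, together with the labels, policy and signed summary packet described earlier, as one worked Python example. This is added here for illustration and is not code from the patent. It assumes a constructed four-label policy (only the label "NT" = no transcoding is taken from the text; "TC", "OPT" and "SEC" are assumed), uses HMAC-SHA256 as a stand-in for the summary signature, and uses a toy SHA-256 counter keystream as a stand-in for the end-to-end cipher; sample content and keys are constructed.

```python
import hashlib
import hmac
import json
import zlib

# Policy information (constructed): label -> profile. "confidential" pieces are
# end-to-end encrypted; "ops" is what a transcoder may do with that label.
# "NT" (no transcoding) is named on the page; the other labels are assumed.
POLICY = {
    "NT":  {"confidential": False, "ops": {"keep"}},
    "TC":  {"confidential": False, "ops": {"keep", "compress", "drop"}},
    "OPT": {"confidential": False, "ops": {"keep", "drop"}},
    "SEC": {"confidential": True,  "ops": {"keep", "drop"}},
}

ENC_KEY = b"constructed-end-to-end-key"   # known to sender and receiver only
SIGN_KEY = b"constructed-summary-key"     # stand-in for a signing key pair

# Constructed sample content: one information data piece per label.
SAMPLE = [
    ("NT",  b"total: 42.00 EUR"),
    ("TC",  b"<p>" + b"long product description " * 20 + b"</p>"),
    ("OPT", b"banner image bytes (constructed)"),
    ("SEC", b"account=DE00 1234; pin=0000"),
]


def _toy_cipher(key, data):
    """Placeholder cipher (demonstration only): XOR with a SHA-256 counter
    keystream, so the same call decrypts. A real system would use an AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _canonical(fields):
    return json.dumps(fields, sort_keys=True).encode()


def sender_prepare(pieces, enc_key, sign_key):
    """Encrypt confidential pieces, label every piece, and build the signed
    document summary: labels plus SHA-256 of each piece as transmitted."""
    stream, fields = [], []
    for idx, (label, data) in enumerate(pieces):
        if POLICY[label]["confidential"]:
            data = _toy_cipher(enc_key + idx.to_bytes(4, "big"), data)
        stream.append({"id": idx, "label": label, "op": "keep", "data": data.hex()})
        fields.append({"id": idx, "label": label, "hash": hashlib.sha256(data).hexdigest()})
    sig = hmac.new(sign_key, _canonical(fields), hashlib.sha256).hexdigest()
    return stream, {"fields": fields, "sig": sig}


def transcode(stream):
    """Non-trusted transcoder serving a slow client: compresses transcodable
    pieces and drops optional ones; NT and encrypted pieces pass untouched."""
    out = []
    for piece in stream:
        ops = POLICY[piece["label"]]["ops"]
        if piece["label"] == "OPT" and "drop" in ops:
            continue
        if "compress" in ops:
            data = bytes.fromhex(piece["data"])
            piece = dict(piece, op="compress", data=zlib.compress(data).hex())
        out.append(dict(piece))
    return out


def rogue_transcode(stream):
    """Misbehaving transcoder (constructed): also rewrites a no-transcoding piece."""
    out = transcode(stream)
    for piece in out:
        if piece["label"] == "NT":
            piece["data"] = b"total: 0.01 EUR".hex()
    return out


def receiver_verify(received, summary, enc_key, sign_key):
    """Return (ok, plaintexts). ok is False if the summary signature fails or
    any piece was treated in a way its label does not allow."""
    expected = hmac.new(sign_key, _canonical(summary["fields"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, summary["sig"]):
        return False, {}
    got = {p["id"]: p for p in received}
    if set(got) - {f["id"] for f in summary["fields"]}:
        return False, {}                      # transcoder injected a piece
    recovered = {}
    for field in summary["fields"]:
        ops = POLICY[field["label"]]["ops"]
        piece = got.get(field["id"])
        if piece is None:                     # piece was deleted in transit
            if "drop" not in ops:
                return False, {}
            continue
        if piece["label"] != field["label"] or piece["op"] not in ops:
            return False, {}
        try:
            data = bytes.fromhex(piece["data"])
            if piece["op"] == "compress":
                data = zlib.decompress(data)
        except (ValueError, zlib.error):
            return False, {}
        if hashlib.sha256(data).hexdigest() != field["hash"]:
            return False, {}                  # content altered beyond policy
        if POLICY[field["label"]]["confidential"]:
            data = _toy_cipher(enc_key + field["id"].to_bytes(4, "big"), data)
        recovered[field["id"]] = data
    return True, recovered
```

The summary hashes each piece exactly as the sender transmits it (the ciphertext for confidential pieces), so the receiver checks integrity before decrypting and never needs the transcoder to see plaintext. A compressed piece is verified after decompression, a deleted piece is accepted only if its label allows "drop", and a piece whose label or content changed in any other way, or a piece the transcoder added, fails verification.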